This is a follow up to my earlier post on the forceTimebasedAutoLB setting for outputs.conf.
There was some discussion (read: prove it to me) on the IRC channel about how would this feature behave with multi-line events or double byte characters. Well, you will be glad to know it worked flawlessly.
My events are from a Japanese Windows instance:
I sent over 500,000 events using the oneshot command from the UF.
And it worked as expected.
Lastly, there was some talk about data munging. Meaning part of one event being incorrectly added to another event. This can happen when Splunk doesn’t break a multi-line event proper. In my test, I didn’t even setup a BREAK_ONLY_BEFORE or LINE_BREAKER rule on the indexers, and just ran with the defaults. To make sure non of the events were munged, I did a search on the size of each event:
Well there you go duckfez. Hopefully I’ve proven to you that the feature is as awesome as you hoped it would be. =)